EP1379053A1 - Method for transferring a user-ID password pair, and a wireless network - Google Patents

Method for transferring a user-ID password pair, and a wireless network Download PDF

Info

Publication number
EP1379053A1
EP1379053A1 EP03396054A EP03396054A EP1379053A1 EP 1379053 A1 EP1379053 A1 EP 1379053A1 EP 03396054 A EP03396054 A EP 03396054A EP 03396054 A EP03396054 A EP 03396054A EP 1379053 A1 EP1379053 A1 EP 1379053A1
Authority
EP
European Patent Office
Prior art keywords
data transmission
network
user
wireless
transmission terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP03396054A
Other languages
German (de)
French (fr)
Other versions
EP1379053B1 (en
Inventor
Harri Jokela
Ilkka Keisala
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
TELIA FINLAND OYJ
Original Assignee
TeliaSonera Finland Oyj
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by TeliaSonera Finland Oyj filed Critical TeliaSonera Finland Oyj
Publication of EP1379053A1 publication Critical patent/EP1379053A1/en
Application granted granted Critical
Publication of EP1379053B1 publication Critical patent/EP1379053B1/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/062Pre-authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management

Definitions

  • the invention relates to a method for transferring a user-ID password pair of a user of a roaming wireless data transmission terminal between a visited network and a home network, and to a wireless network.
  • a wireless network and a wireless data transmission terminal refer to wireless data transmission systems implemented with a wireless local area network (WLAN) or short-range radio transceivers, for example, in which roaming known from mobile communication systems can be implemented.
  • Roaming is a function that enables the use of services in each particular location area of the user when the user moves from one network to another with a wireless data transmission terminal, for example from a home network (HN) administered by a domestic operator on domestic ground to a visited network (VN) administered by a foreign operator abroad.
  • HN home network
  • VN visited network
  • the authentication can utilize a user-ID password pair, which are transferred from the wireless data transmission terminal to the visited network and which the visited network transfers to the home network in order to authenticate the user.
  • IP Internet protocol
  • TCP/lP Transmission Control Protocol / Internet Protocol
  • An object of the invention is to provide an improved method for transferring a user-ID password pair of a user of a wireless data transmission terminal between a visited network and a home network, and an improved wireless network.
  • An aspect of the invention is a method for transferring a user-ID password pair of a user of a roaming wireless data transmission terminal between the visited network and the home network, comprising: establishing a data transmission connection between the visited network and the home network by using existing connections of the signalling system No. 7; using in the data transmission connection for the transfer of the user-ID password pair such a mobile system protocol that has not been specified for the transfer of a user-ID password pair between the visited network and the home network; transferring the user-ID password pair of the user of the wireless data transmission terminal from the roaming network to the home network by using the data transmission connection.
  • An aspect of the invention is a wireless network comprising: a service access point for establishing a connection to a roaming wireless data transmission terminal; an authentication server connected to the service access point for authenticating the user of the wireless data transmission terminal, which authentication server is configured to transfer the user-ID password pair of the user of the roaming wireless data transmission terminal to the home network by using a data transmission connection; and a gateway connected to the authentication server for establishing a data transmission connection between the authentication server of the visited network and the authentication server of the home network by using existing signalling system No. 7 connections, and by using in the data transmission connection for the transfer of the user-ID password pair such a mobile system protocol that has not been specified for transferring a user-ID password pair between the visited network and the home network.
  • the invention is based on using existing signalling system No. 7 connections and an existing mobile system protocol in a new manner for transferring a user-ID password pair of a wireless network.
  • a plurality of advantages is achieved with the invention. It allows implementation of roaming between two wireless networks in a simple manner by using a user-ID password pair instead of SIM (Subscriber Identity Module) authentication.
  • SIM Subscriber Identity Module
  • the solution utilizes existing signalling No. 7 connections, whereby there is no need to set up new IP connections between the visited network and the home network, for example.
  • FIG. 1 illustrates a simplified example of the structure of a wireless network and its interfaces.
  • the wireless network 132 is in our example a visited network from the viewpoint of a wireless data transmission terminal 100, because the user of the wireless data transmission terminal 100 has originally received an access right to the network from a home network 134.
  • the data transmission terminal 100 is capable of establishing a bidirectional data transmission connection 140 to a service access point 102, in other words it can be, for example, a portable computer, a PDA (Personal Digital Assistant) or a device of the type of Nokia Communicator®.
  • the data transmission terminal 100 is provided with a card implementing a wireless local area network, with a Bluetooth® transceiver, or with other technology enabling bidirectional data transmission and implementation of the roaming concept.
  • the data transmission terminal 100 also contains an antenna, a user interface and a battery.
  • there is a variety of data transmission terminals 100 for instance terminals mounted in a car, or portable ones.
  • the visited network 132 comprises a service access point (SAP) 102, to which the data transmission terminal 100 is connectable with a connection 140.
  • the service access point 102 forms what is called an access zone (also known as a hotspot), for instance in an office, a university campus, a hotel or an airport, where local area network connections are offered to users. Users of portable computers, for example, can be provided with a rapid wireless broadband service via the access zone.
  • the visited network 132 comprises an authentication server 106 connected to the service access point 102.
  • the service access point 102 is configured to use a wireless local area network for implementing the connection 140 to the wireless data transmission terminal 100.
  • a wireless local area network a physical cable is replaced with a radio connection, a microwave connection, or an infrared connection.
  • a wireless local area network may be, for example, a wireless local area network according to the IEEE (the Institute of Electrical and Electronics Engineers, Inc.) standard 802.11 or 802.11b. It may also be called wireless Ethernet. WECA (Wireless Ethernet Compatibility Alliance) is a cooperation body formed by numerous companies that has registered the trademark WiFi® (Wireless Fidelity), the purpose of which is to ensure compatibility of devices according to standard 802.11.
  • WiFi® Wireless Fidelity
  • the service access point 102 comprises a short-range radio transceiver for implementing the connection 140 to the wireless data transmission terminal 100.
  • the short-range transceiver may be, for example, a radio transceiver according to Bluetooth® technology. According to Bluetooth® technology, it is possible to manufacture an integrated circuit, which can be positioned in both the service access point 102 and the wireless data transmission terminal 100, and with which a radio connection 140 having a range of a few hundred meters at most can be implemented at a frequency of 2.4 gigahertz.
  • the radio transceiver can naturally be implemented with other known radio technologies enabling a bidirectional data transmission connection.
  • the task of the service access point 102 is to function as a port through which the data transmission services of the visited network 132 are offered to the data transmission terminal 100.
  • the service access point of the wireless local area network can function as the service access point 102, the service access point serving as a wireless Ethernet bridge to the local area network.
  • the service access point 102 thus comprises a radio module for implementing radio connections, as well as software and hardware required for data encryption of radio connections.
  • the service access point 102 may also comprise an external modem which allows implementation of a dial-up access to an Internet service provider (ISP), in which case the service access point 102 may contain a firewall implemented with NAT (Network Address Translation) technology, for instance, for protecting the local area network.
  • ISP Internet service provider
  • NAT Network Address Translation
  • the visited network 132 may also comprise an access controller (AC) 104 between the service access point 102 and the authentication server 106, which access controller functions as a gateway between the access zone and the Internet. It is thus possible to connect to a WWW (World-Wide Web) server from the visited network 132 via the access controller 104, the data transmission terminal 100 being able to exchange information with the WWW server after authentication.
  • the access controller 104 attends to authentication of users, for example, monitors the use of the network in real time and collects information for billing.
  • the service access point 100 and the access controller 104 may be separate network elements or they can be integrated into one network element.
  • the authentication server 106 may be an AAA server (Authentication, Authorization and Accounting), in which case it attends not only to the authentication of the user, i.e. the alleged identity of the user, but also to authorization and accounting to bill for the use.
  • the authentication server 106 can thus use an AAA protocol defined by the IETF (Internet Engineering Task Force), for instance the Radius protocol (Remote Authentication Dial-in User Service, RADIUS) or the Diameter protocol.
  • RADIUS Remote Authentication Dial-in User Service
  • the proxy 108 is responsible for further transmitting the authentication requests from the authentication server 106 of the visited network 132 to the authentication server 118 of the home network 134.
  • the authentication request contains the roaming user's user-ID password pair.
  • authentication domains (known also as authentication realms), in which data is stored on users and access rights. Users of different network operators can be divided into different authentication domains in order to find the right authentication server.
  • the authentication domains can be defined in files of the proxy 108, for instance. If the user is the visited network's 132 own user, the authentication server 106 performs authentication locally after it has received the user-ID password pair from the data transmission terminal 100 in connection with the login.
  • the user of the data transmission terminal 100 is not the visited network's own user but a roaming user, in which case the user-ID password pair is transferred from the authentication server 106 of the visited network 132 to the authentication server 118 of the home network 134.
  • the authentication server 118 of the home network 134 may also comprise a proxy 120.
  • the authentication server 118 also comprises a database 122, in which the access rights are determined.
  • the authentication server 106 comprises a database, but for the sake of clarity, it is not shown in Figure 1, because the information required for authenticating the roaming data transmission terminal 100 have been determined in the database 122 of the authentication server 118 of the home network 134.
  • the roaming function is a functional entity in the mobility management (MM), which enables correct routing of a call when a user moves with his mobile telephone from a home mobile system to a visited mobile system.
  • mobile stations include the second generation GSM (Global System for Mobile Communications), the 2.5-generation GPRS (General Packet Radio System) or EGPRS (Enhanced GPRS) based on the GSM, and a third generation UMTSD (Universal Mobile Telecommunications System).
  • GSM Global System for Mobile Communications
  • GPRS General Packet Radio System
  • EGPRS Enhanced GPRS
  • UMTSD Universal Mobile Telecommunications System
  • the roaming function can be simpler than in mobile systems. If it is only desirable to establish the data transmission connection 140 with the data transmission terminal 100 to the service access point 102 in order to be able to search information in a server in the Internet, the correct call routing is not naturally needed, but only user authentication is required, in other words checking whether the user has the access right to the service access point 102 in question.
  • the access right is based on there being an agreement between the operator of the home network 134 and the operator of the visited network 132, which agreement gives the user of the home network 134 a right to use the service access point 102 of the visited network.
  • the visited network 132 thus comprises a service access point 102 for establishing a connection 140 to the roaming wireless data transmission terminal 100, and an authentication server 106 connected to the service access point 102 for authenticating the user of the wireless data transmission terminal 100.
  • the authentication server 106 is configured to transfer the user-lD password pair of the user of the roaming wireless data transmission terminal 100 to the authentication server 118 of the home network 134 by using the data transmission connection.
  • the visited network 132 comprises a gateway 110 connected to the authentication server 106 for establishing a data transmission connection between the authentication server 106 and the home network 134 by using existing signalling system No. 7 connections 130.
  • SS7 refers to a common channel signalling system defined by the ITU-T (International Telecommunication Union - Telecommunication Standardization Sector), the operation of which system is optimized for digital telecommunication networks.
  • ITU-T International Telecommunication Union - Telecommunication Standardization Sector
  • the use of SS7 is described in US patents 5,640,446; 5,966,431 and 6,324,183, for instance, which are incorporated as reference herein.
  • the network operators of both the visited network 132 and the home network 134 are also mobile system operators.
  • the SS7 connections can be implemented by using existing SS7 connections 130 between operators' mobile systems.
  • An SS7 connection 150 between a mobile services switching centre 112 of the visited network's 132 operator and a mobile services switching centre 114 of the home network's 134 operator is shown of the existing SS7 connections 130.
  • the home network 134 comprises a gateway 116 between the mobile services switching centre 114 and the authentication server 118.
  • the data transmission connection between the gateway 110, 116 and the mobile services switching centre 112, 114 uses also SS7 connections 148, 152.
  • the network elements 102, 104, 106 and 110 of the visited network 132 are connected to each other with IP connections 142, 144, 146, and in the same way, the network elements 116, 118 of the home network are connected to each other with an IP connection 154, but it is obvious that in the visited network 132 and/or the home network 134 any suitable protocol can be used in the traffic between network elements.
  • the gateway 110 is configured to use in a data transmission connection for the transfer of the user-ID password pair such a mobile system protocol that has not been specified for transferring a user-ID password pair between the visited network 132 and the home network 134.
  • the mobile system protocol not being specified for this particular purpose means that the protocol is not, according to the mobile system specifications defining it, intended for this purpose, and that the protocol has not been used for this purpose in known mobile system implementations so far. In other words, the protocol is used in a way that deviates from what it was designed for.
  • MAP protocol mobile application part protocol
  • the user ID-password pair is placed in such a protocol-conforming message/field into which it fits with regard its size.
  • a singallnfo field of a size of 200 octets, i.e. 1 600 bits, can be used for transferring the user-ID password pair.
  • the message description shown also contains a description of the response message prepareHO-Res, so the signallnfo field in the response message can also be used for transferring an authentication response.
  • the response message can also be used for acknowledgement; in other words, the home network uses the response message for informing the visited network that it has received the user-ID password pair.
  • the actual authentication response can thus be transmitted by using either the same response message type or another message appropriate for the purpose.
  • An agreed field can be used for transferring the user-ID password pair encrypted, and another field can be used for transferring information on encryption keys of the connection 140 to be established between the data transmission terminal 100 and the service access point 102, for instance.
  • the short-message protocol can be used in such a way that the user-ID password pair is placed in one or more short messages in the authentication server 106, the short messages being then placed for example in MAP protocol messages in the gateway 110.
  • the gateway 110 is thus configured to place the user-ID password pair in at least one message of the mobile system protocol.
  • the gateway 100 thus encapsulates the user-ID password pair in the mobile system protocol.
  • US patent 5,864,761 incorporated as reference herein, describes the use of the MAP protocol in connection with SS7 to implement traffic within one mobile communication system.
  • the user-ID password pair of the user 100 of the roaming data transmission terminal 100 is thus transferred from the authentication server 106 of the visited network 132 via the gateway 110, SS7 network 130 and gateway 116 to the authentication server 118 of the home network 134, where the authentication is actually performed.
  • the response to the authentication is transmitted in the opposite order from the authentication centre 118 of the home network 134 to the authentication server 106 of the visited network 132.
  • the response contains information on whether the user of the data transmission terminal 100 has an access right to the data transmission services provided by the visited network 132.
  • the gateway 110 is configured to retrieve from a mapping table the address information on the home network 134 of the roaming wireless data transmission terminal 100 to establish a data transmission connection.
  • the mapping table contains, for example, the SS7 address of the mobile services switching centre 114 of the home network 134, for example what is called a global title (GT).
  • the authentication servers 106, 118 use the Radius protocol, in which case the gateway 110 is configured to place parameters conforming to the Radius protocol in the protocol of the mobile communication system.
  • consecutive numbering can be used in the Radius protocol to identify the authentication response belonging to the user-ID password pair; in other words, for example number X is placed in the message used for transferring the user-ID password pair, the same number X being placed in the message used for transferring the authentication response.
  • the gateway 110 is configured to transfer billing information on the connection 140 established with the user-ID password pair between the wireless data transmission terminal 100 and the visited network 132 to the home network 134 by using the mobile system protocol.
  • the service access point 102, the access controller 104, the authentication server 106, the proxy 108 and the gateway 110 comprise data transmission hardware, with which the network element in question communicates with other network elements, and a control unit controlling the operation of the network element, presently implemented as a processor with software, but also different hardware implementations are feasible, for instance a circuit constructed of separate logic components or one or more application-specific integrated circuits (ASIC).
  • ASIC application-specific integrated circuits
  • the integration degree of the network elements 102, 104, 106, 108, 110 can vary.
  • the network elements can be separate or combined.
  • the service access point 102 and the access controller 104 can be integrated into one device.
  • the authentication server 106 and the proxy 108 can be integrated into one device.
  • the network elements 102, 104, 106, 108, 110 can also be implemented as plug-in units mounted on a rack.
  • the plug-in units communicate with each other for instance via a back plane attached to the rear part of the rack.
  • the network elements 102, 104, 106, 108, 110 are implemented as plug-in units, their assembly can be easily changed, if desired, for example when the network is extended.
  • the desired integration degree and decentralization/centralization degree of data processing can be determined flexibly. In large networks the network element can thus be dedicated for only certain tasks, whereas in small networks one network element can be responsible for several tasks described separately in Figure 1.
  • FIG. 2 a method for transferring a user-ID password pair of a user of a roaming wireless data transmission terminal between the visited network and the home network.
  • Figure 3 illustrates possible signalling between different network elements.
  • Performing the method begins in 200 when the user of the roaming wireless data transmission terminal 100 wishes to use a service access point.
  • a connection can be established in the method between the visited network and the wireless data transmission network by using a wireless local area network, short-range radio transceivers or other technology appropriate for the purpose.
  • the roaming network Upon the login, the roaming network obtains the user-ID password pair given to the user.
  • the visited network identifies, for example on the basis of the domain name after the @-sign in the user ID, e.g. sonera.com, that the user is a roaming user.
  • the wireless data transmission network 100 transmits its user ID with the network identifier and its password in a message 300 to the service access point 102, which further transmits a message 302 to the access controller 104.
  • the access controller 104 transmits an access request 304 to the authentication server / proxy 106/108, which transmits the access request to the gateway 110.
  • the user of the wireless data transmission terminal is authenticated in the home network on the basis of the user-ID password pair.
  • an authentication response is transmitted in 210 from the home network to the visited network by using a data transmission connection.
  • the authentication response 312 is transmitted from the authentication server / proxy 118/120 to the gateway 116, from which the authentication response is transmitted in a MAP prepareHO-Res message 314 to the gateway 110 by using SS7 connections.
  • the gateway 110 unloads the MAP message 314 in question and transmits the authentication response to the authentication server / proxy 106/108.

Abstract

The invention relates to a method for transferring a user-ID password pair of a user of a roaming wireless data transmission terminal between a visited network and a home network, and to a wireless network. The wireless network comprises a service access point (102) for establishing a connection (140) to a roaming wireless data transmission terminal (100); and an authentication server (106) connected to the service access point (102) for authenticating the user of the wireless data transmission terminal (100), which authentication server (106) is configured to transfer the user-ID password pair of the user of the roaming wireless data transmission terminal (100) to the home network (134) by using a data transmission connection. The wireless network further comprises a gateway (110) connected to the authentication server (106) for establishing a data transmission connection between the authentication server (106) of the visited network (132) and the authentication server (118) of the home network (134) by using existing signalling system No. 7 connections (130), and by using in the data transmission connection for the transfer of a user-ID password pair such a mobile system protocol that has not been specified for transferring a user-ID password pair between the visited network (132) and the home network (134).

Description

    FIELD
  • The invention relates to a method for transferring a user-ID password pair of a user of a roaming wireless data transmission terminal between a visited network and a home network, and to a wireless network.
    • BACKGROUND
  • In the present application, a wireless network and a wireless data transmission terminal refer to wireless data transmission systems implemented with a wireless local area network (WLAN) or short-range radio transceivers, for example, in which roaming known from mobile communication systems can be implemented. Roaming is a function that enables the use of services in each particular location area of the user when the user moves from one network to another with a wireless data transmission terminal, for example from a home network (HN) administered by a domestic operator on domestic ground to a visited network (VN) administered by a foreign operator abroad.
  • One important function during roaming is the authentication of the user of a wireless data transmission terminal. The authentication can utilize a user-ID password pair, which are transferred from the wireless data transmission terminal to the visited network and which the visited network transfers to the home network in order to authenticate the user.
  • In accordance with prior art, a data transmission connection is established between the visited network and the home network by using an Internet protocol (IP), for instance the TCP/lP (Transmission Control Protocol / Internet Protocol), the user-ID password pair being transferred in this data transmission connection. The solution requires set-up of new IP connections between the home network and visited network, often in practice between different operators.
    • BRIEF DESCRIPTION
  • An object of the invention is to provide an improved method for transferring a user-ID password pair of a user of a wireless data transmission terminal between a visited network and a home network, and an improved wireless network.
  • An aspect of the invention is a method for transferring a user-ID password pair of a user of a roaming wireless data transmission terminal between the visited network and the home network, comprising: establishing a data transmission connection between the visited network and the home network by using existing connections of the signalling system No. 7; using in the data transmission connection for the transfer of the user-ID password pair such a mobile system protocol that has not been specified for the transfer of a user-ID password pair between the visited network and the home network; transferring the user-ID password pair of the user of the wireless data transmission terminal from the roaming network to the home network by using the data transmission connection.
  • An aspect of the invention is a wireless network comprising: a service access point for establishing a connection to a roaming wireless data transmission terminal; an authentication server connected to the service access point for authenticating the user of the wireless data transmission terminal, which authentication server is configured to transfer the user-ID password pair of the user of the roaming wireless data transmission terminal to the home network by using a data transmission connection; and a gateway connected to the authentication server for establishing a data transmission connection between the authentication server of the visited network and the authentication server of the home network by using existing signalling system No. 7 connections, and by using in the data transmission connection for the transfer of the user-ID password pair such a mobile system protocol that has not been specified for transferring a user-ID password pair between the visited network and the home network.
  • Some embodiments of the invention are described in the dependent claims.
  • The invention is based on using existing signalling system No. 7 connections and an existing mobile system protocol in a new manner for transferring a user-ID password pair of a wireless network.
  • A plurality of advantages is achieved with the invention. It allows implementation of roaming between two wireless networks in a simple manner by using a user-ID password pair instead of SIM (Subscriber Identity Module) authentication. The solution utilizes existing signalling No. 7 connections, whereby there is no need to set up new IP connections between the visited network and the home network, for example.
    • LIST OF FIGURES
  • The invention will now be described in greater detail in connection with preferred embodiments, with reference to the attached drawings, of which
  • Figure 1 is a simplified block diagram illustrating the structure and interfaces of a wireless network;
  • Figure 2 is a flow chart illustrating a method for transferring a user-ID password pair of the user of a roaming wireless data transmission terminal between a visited network and a home network; and
  • Figure 3 is a signal sequence diagram showing, in a simplified manner, transfer of a user-ID password pair and an authentication response between network elements.
    • DESCRIPTION OF EMBODIMENTS
  • Figure 1 illustrates a simplified example of the structure of a wireless network and its interfaces. The wireless network 132 is in our example a visited network from the viewpoint of a wireless data transmission terminal 100, because the user of the wireless data transmission terminal 100 has originally received an access right to the network from a home network 134.
  • The data transmission terminal 100 is capable of establishing a bidirectional data transmission connection 140 to a service access point 102, in other words it can be, for example, a portable computer, a PDA (Personal Digital Assistant) or a device of the type of Nokia Communicator®. The data transmission terminal 100 is provided with a card implementing a wireless local area network, with a Bluetooth® transceiver, or with other technology enabling bidirectional data transmission and implementation of the roaming concept. Typically, the data transmission terminal 100 also contains an antenna, a user interface and a battery. At present, there is a variety of data transmission terminals 100, for instance terminals mounted in a car, or portable ones.
  • The visited network 132 comprises a service access point (SAP) 102, to which the data transmission terminal 100 is connectable with a connection 140. The service access point 102 forms what is called an access zone (also known as a hotspot), for instance in an office, a university campus, a hotel or an airport, where local area network connections are offered to users. Users of portable computers, for example, can be provided with a rapid wireless broadband service via the access zone. Further, the visited network 132 comprises an authentication server 106 connected to the service access point 102.
  • In an embodiment, the service access point 102 is configured to use a wireless local area network for implementing the connection 140 to the wireless data transmission terminal 100. In a wireless local area network, a physical cable is replaced with a radio connection, a microwave connection, or an infrared connection. A wireless local area network may be, for example, a wireless local area network according to the IEEE (the Institute of Electrical and Electronics Engineers, Inc.) standard 802.11 or 802.11b. It may also be called wireless Ethernet. WECA (Wireless Ethernet Compatibility Alliance) is a cooperation body formed by numerous companies that has registered the trademark WiFi® (Wireless Fidelity), the purpose of which is to ensure compatibility of devices according to standard 802.11.
  • In an embodiment, the service access point 102 comprises a short-range radio transceiver for implementing the connection 140 to the wireless data transmission terminal 100. The short-range transceiver may be, for example, a radio transceiver according to Bluetooth® technology. According to Bluetooth® technology, it is possible to manufacture an integrated circuit, which can be positioned in both the service access point 102 and the wireless data transmission terminal 100, and with which a radio connection 140 having a range of a few hundred meters at most can be implemented at a frequency of 2.4 gigahertz. The radio transceiver can naturally be implemented with other known radio technologies enabling a bidirectional data transmission connection.
  • The use of both a wireless local area network and a short-range radio transceiver has the great advantage that the frequency band defined for them is usually readily available, so that the network operator does not have to reserve certain frequencies for its use at high costs, owing to which the prize of the service can be lowered for the end user. The situation is different in mobile systems, such as in the UMTS (Universal Mobile Telecommunications System) recently, where the price of a frequency band can rise very high.
  • The task of the service access point 102 is to function as a port through which the data transmission services of the visited network 132 are offered to the data transmission terminal 100. If the data transmission connection 140 is implemented with a wireless local area network, the service access point of the wireless local area network can function as the service access point 102, the service access point serving as a wireless Ethernet bridge to the local area network. The service access point 102 thus comprises a radio module for implementing radio connections, as well as software and hardware required for data encryption of radio connections. The service access point 102 may also comprise an external modem which allows implementation of a dial-up access to an Internet service provider (ISP), in which case the service access point 102 may contain a firewall implemented with NAT (Network Address Translation) technology, for instance, for protecting the local area network.
  • The visited network 132 may also comprise an access controller (AC) 104 between the service access point 102 and the authentication server 106, which access controller functions as a gateway between the access zone and the Internet. It is thus possible to connect to a WWW (World-Wide Web) server from the visited network 132 via the access controller 104, the data transmission terminal 100 being able to exchange information with the WWW server after authentication. The access controller 104 attends to authentication of users, for example, monitors the use of the network in real time and collects information for billing. Depending on the volume of traffic in the visited network 132, the service access point 100 and the access controller 104 may be separate network elements or they can be integrated into one network element.
  • The authentication server 106 may be an AAA server (Authentication, Authorization and Accounting), in which case it attends not only to the authentication of the user, i.e. the alleged identity of the user, but also to authorization and accounting to bill for the use. The authentication server 106 can thus use an AAA protocol defined by the IETF (Internet Engineering Task Force), for instance the Radius protocol (Remote Authentication Dial-in User Service, RADIUS) or the Diameter protocol. In connection with the authentication server 106 or as part of it, there is a proxy 108. The proxy 108 is responsible for further transmitting the authentication requests from the authentication server 106 of the visited network 132 to the authentication server 118 of the home network 134. The authentication request contains the roaming user's user-ID password pair. In roaming, two network operators allow their users to use services of either network 132, 134. Selection of the authentication server used for authentication of the roaming user is based on authentication domains (known also as authentication realms), in which data is stored on users and access rights. Users of different network operators can be divided into different authentication domains in order to find the right authentication server. The authentication domains can be defined in files of the proxy 108, for instance. If the user is the visited network's 132 own user, the authentication server 106 performs authentication locally after it has received the user-ID password pair from the data transmission terminal 100 in connection with the login. In the example, the user of the data transmission terminal 100 is not the visited network's own user but a roaming user, in which case the user-ID password pair is transferred from the authentication server 106 of the visited network 132 to the authentication server 118 of the home network 134. In the manner shown, the authentication server 118 of the home network 134 may also comprise a proxy 120. Further, the authentication server 118 also comprises a database 122, in which the access rights are determined. Naturally also the authentication server 106 comprises a database, but for the sake of clarity, it is not shown in Figure 1, because the information required for authenticating the roaming data transmission terminal 100 have been determined in the database 122 of the authentication server 118 of the home network 134.
  • In mobile systems, the roaming function is a functional entity in the mobility management (MM), which enables correct routing of a call when a user moves with his mobile telephone from a home mobile system to a visited mobile system. Examples of mobile stations include the second generation GSM (Global System for Mobile Communications), the 2.5-generation GPRS (General Packet Radio System) or EGPRS (Enhanced GPRS) based on the GSM, and a third generation UMTSD (Universal Mobile Telecommunications System). If required, further information on mobile systems and a roaming function can be found in specifications, for instance in the GSM and UMTS system specifications and in the literature of the field, such as in Introduction to 3G Mobile Communications. Arthech House 2001. ISBN 1-58053-287-X by Juha Korhonen.
  • Inthe wireless network 132, 134 described here, the roaming function can be simpler than in mobile systems. If it is only desirable to establish the data transmission connection 140 with the data transmission terminal 100 to the service access point 102 in order to be able to search information in a server in the Internet, the correct call routing is not naturally needed, but only user authentication is required, in other words checking whether the user has the access right to the service access point 102 in question. In our example, the access right is based on there being an agreement between the operator of the home network 134 and the operator of the visited network 132, which agreement gives the user of the home network 134 a right to use the service access point 102 of the visited network.
  • The visited network 132 thus comprises a service access point 102 for establishing a connection 140 to the roaming wireless data transmission terminal 100, and an authentication server 106 connected to the service access point 102 for authenticating the user of the wireless data transmission terminal 100. In the manner described above, the authentication server 106 is configured to transfer the user-lD password pair of the user of the roaming wireless data transmission terminal 100 to the authentication server 118 of the home network 134 by using the data transmission connection. Further, the visited network 132 comprises a gateway 110 connected to the authentication server 106 for establishing a data transmission connection between the authentication server 106 and the home network 134 by using existing signalling system No. 7 connections 130. The signalling system No. 7 (SS7) refers to a common channel signalling system defined by the ITU-T (International Telecommunication Union - Telecommunication Standardization Sector), the operation of which system is optimized for digital telecommunication networks. The use of SS7 is described in US patents 5,640,446; 5,966,431 and 6,324,183, for instance, which are incorporated as reference herein.
  • In the example of Figure 1, the network operators of both the visited network 132 and the home network 134 are also mobile system operators. Thus, the SS7 connections can be implemented by using existing SS7 connections 130 between operators' mobile systems. An SS7 connection 150 between a mobile services switching centre 112 of the visited network's 132 operator and a mobile services switching centre 114 of the home network's 134 operator is shown of the existing SS7 connections 130. As described in Figure 1, also the home network 134 comprises a gateway 116 between the mobile services switching centre 114 and the authentication server 118. The data transmission connection between the gateway 110, 116 and the mobile services switching centre 112, 114 uses also SS7 connections 148, 152. In the example of Figure 1, the network elements 102, 104, 106 and 110 of the visited network 132 are connected to each other with IP connections 142, 144, 146, and in the same way, the network elements 116, 118 of the home network are connected to each other with an IP connection 154, but it is obvious that in the visited network 132 and/or the home network 134 any suitable protocol can be used in the traffic between network elements.
  • The gateway 110 is configured to use in a data transmission connection for the transfer of the user-ID password pair such a mobile system protocol that has not been specified for transferring a user-ID password pair between the visited network 132 and the home network 134. The mobile system protocol not being specified for this particular purpose means that the protocol is not, according to the mobile system specifications defining it, intended for this purpose, and that the protocol has not been used for this purpose in known mobile system implementations so far. In other words, the protocol is used in a way that deviates from what it was designed for. One example of such a protocol is a mobile application part protocol (MAP protocol). The user ID-password pair is placed in such a protocol-conforming message/field into which it fits with regard its size. In addition, known methods can be used for encrypting messages, as far as the encryption method is known to both the visited network 132 and the home network 134. The following shows a prepareHandover message conforming to the MAP protocol, described with ASN.1 (Abstract Syntax Notation One) and taken from the GSM specification 09.02 (Version 6.1.1 Release 1997):
  • prepareHandover OPERATION
    Figure 00080001
    Figure 00090001
    Figure 00100001
  • For instance a singallnfo field of a size of 200 octets, i.e. 1 600 bits, can be used for transferring the user-ID password pair. The message description shown also contains a description of the response message prepareHO-Res, so the signallnfo field in the response message can also be used for transferring an authentication response. The response message can also be used for acknowledgement; in other words, the home network uses the response message for informing the visited network that it has received the user-ID password pair. The actual authentication response can thus be transmitted by using either the same response message type or another message appropriate for the purpose.
  • An agreed field can be used for transferring the user-ID password pair encrypted, and another field can be used for transferring information on encryption keys of the connection 140 to be established between the data transmission terminal 100 and the service access point 102, for instance. Also the short-message protocol can be used in such a way that the user-ID password pair is placed in one or more short messages in the authentication server 106, the short messages being then placed for example in MAP protocol messages in the gateway 110. The gateway 110 is thus configured to place the user-ID password pair in at least one message of the mobile system protocol. In practice, the gateway 100 thus encapsulates the user-ID password pair in the mobile system protocol. US patent 5,864,761, incorporated as reference herein, describes the use of the MAP protocol in connection with SS7 to implement traffic within one mobile communication system.
  • The user-ID password pair of the user 100 of the roaming data transmission terminal 100 is thus transferred from the authentication server 106 of the visited network 132 via the gateway 110, SS7 network 130 and gateway 116 to the authentication server 118 of the home network 134, where the authentication is actually performed. The response to the authentication is transmitted in the opposite order from the authentication centre 118 of the home network 134 to the authentication server 106 of the visited network 132. The response contains information on whether the user of the data transmission terminal 100 has an access right to the data transmission services provided by the visited network 132.
  • In an embodiment, the gateway 110 is configured to retrieve from a mapping table the address information on the home network 134 of the roaming wireless data transmission terminal 100 to establish a data transmission connection. The mapping table contains, for example, the SS7 address of the mobile services switching centre 114 of the home network 134, for example what is called a global title (GT).
  • In an embodiment, the authentication servers 106, 118 use the Radius protocol, in which case the gateway 110 is configured to place parameters conforming to the Radius protocol in the protocol of the mobile communication system. In addition, consecutive numbering can be used in the Radius protocol to identify the authentication response belonging to the user-ID password pair; in other words, for example number X is placed in the message used for transferring the user-ID password pair, the same number X being placed in the message used for transferring the authentication response.
  • In an embodiment, the gateway 110 is configured to transfer billing information on the connection 140 established with the user-ID password pair between the wireless data transmission terminal 100 and the visited network 132 to the home network 134 by using the mobile system protocol.
  • The service access point 102, the access controller 104, the authentication server 106, the proxy 108 and the gateway 110 comprise data transmission hardware, with which the network element in question communicates with other network elements, and a control unit controlling the operation of the network element, presently implemented as a processor with software, but also different hardware implementations are feasible, for instance a circuit constructed of separate logic components or one or more application-specific integrated circuits (ASIC). The advantage of a software implementation is that it is easy to maintain: the above-described operation of network elements is thus implemented for instance as program modules that can be updated more easily than a hardware solution.
  • Also a combination of different implementations is feasible. When selecting the implementation for performing the configuration, those skilled in the art will take into account the requirements for the current consumption of the device, required processing power, manufacturing costs, production volumes and requirements for the updating and maintenance, for example. Depending on the extent of the traffic and geographical extent of the network 132, the integration degree of the network elements 102, 104, 106, 108, 110 can vary. The network elements can be separate or combined. As mentioned earlier, the service access point 102 and the access controller 104 can be integrated into one device. In the same way, the authentication server 106 and the proxy 108 can be integrated into one device. The network elements 102, 104, 106, 108, 110 can also be implemented as plug-in units mounted on a rack. In such a case, the plug-in units communicate with each other for instance via a back plane attached to the rear part of the rack. When the network elements 102, 104, 106, 108, 110 are implemented as plug-in units, their assembly can be easily changed, if desired, for example when the network is extended. In the same way, the desired integration degree and decentralization/centralization degree of data processing can be determined flexibly. In large networks the network element can thus be dedicated for only certain tasks, whereas in small networks one network element can be responsible for several tasks described separately in Figure 1.
  • The following describes, with reference to the flow chart of Figure 2, a method for transferring a user-ID password pair of a user of a roaming wireless data transmission terminal between the visited network and the home network. At the same time, reference is made to Figure 3, which illustrates possible signalling between different network elements. Performing the method begins in 200 when the user of the roaming wireless data transmission terminal 100 wishes to use a service access point. A connection can be established in the method between the visited network and the wireless data transmission network by using a wireless local area network, short-range radio transceivers or other technology appropriate for the purpose. Upon the login, the roaming network obtains the user-ID password pair given to the user. The visited network identifies, for example on the basis of the domain name after the @-sign in the user ID, e.g. sonera.com, that the user is a roaming user. In Figure 3, the wireless data transmission network 100 transmits its user ID with the network identifier and its password in a message 300 to the service access point 102, which further transmits a message 302 to the access controller 104. The access controller 104 transmits an access request 304 to the authentication server / proxy 106/108, which transmits the access request to the gateway 110.
  • Next, a data transmission connection is established in 202 between the visited network and the home network by using existing signalling system No. 7 connections. In accordance with 204, such a protocol is used in the data transmission connection for transferring the user-ID password pair that has not been specified for the transfer of a user-ID password pair between the visited network and the home network. The protocol of the mobile communication system can be a mobile application part protocol or another mobile system protocol suitable for the purpose. In an embodiment, the user-ID password pair is placed in at least one message of the mobile system protocol. In an embodiment, parameters according to the Radius protocol are placed in the mobile system protocol. In an embodiment, a data transmission connection is established in the authentication server of the home network, in which the authentication of the user of the wireless data transmission terminal is performed. In an embodiment, the address information on the home network of the roaming wireless data transmission terminal is retrieved from the mapping table to establish a data transmission connection.
  • Next, in 206, the user-ID password pair of the user of the wireless data transmission terminal is transferred from the visited network to the home network by using the data transmission connection. In Figure 3, the user-ID password pair is transferred in a MAP prepareHandover message 308 from the gateway 110 of the visited network 132 to the gateway 116 of the home network 134 by using SS7 connections. As seen from Figure 3, it is not necessary to transfer the network identifier in the message 308, because the gateway 110 identified with it where the SS7 connection was to be established. Next, the gateway 116 of the home network 134 transmits an access request 310 unloaded from the MAP prepareHandover message to the authentication server / proxy 118, 120.
  • In accordance with 208, the user of the wireless data transmission terminal is authenticated in the home network on the basis of the user-ID password pair. Subsequently, an authentication response is transmitted in 210 from the home network to the visited network by using a data transmission connection. In Figure 3, the authentication response 312 is transmitted from the authentication server / proxy 118/120 to the gateway 116, from which the authentication response is transmitted in a MAP prepareHO-Res message 314 to the gateway 110 by using SS7 connections. The gateway 110 unloads the MAP message 314 in question and transmits the authentication response to the authentication server / proxy 106/108.
  • In accordance with 212, the visited network acts in accordance with the authentication response. In other words, an access right to the visited network is given to the roaming user if the authentication was successful in the home network; otherwise it is not given. In Figure 3, the authentication result 318 is reported to the access controller 318.
  • Performance of the method is terminated in 216. Before terminating the method, billing information on the connection established with the user-ID password pair between the wireless data transmission terminal and the visited network can optionally be transferred to the home network by using a mobile system protocol in accordance with 214. Devices described in connection with Figure 1 can be used for implementing the method, but also other kinds of environments are possible.
  • Although the invention has been described above with reference to the example according to the attached drawings, it is obvious that the invention is not restricted to it but can be modified in a plurality of ways within the inventive idea of the attached claims.

Claims (17)

  1. A method for transferring a user-ID password pair of a user of a roaming wireless data transmission terminal between a visited network and a home network, comprising:
    transferring (206) the user-ID password pair of the user of the wireless data transmission terminal from the visited network to the home network by using a data transmission connection;
       characterized by the method further comprising:
    establishing (202) a data transmission connection between the visited network and the home network by using existing connections of the signalling system No. 7; and
    using (204) in the data transmission connection for the transfer of the user-ID password pair such a mobile system protocol that has not been specified for the transfer of a user-ID password pair between the roaming network and the home network.
  2. A method according to claim 1, characterized by retrieving from a mapping table the address information on the home network of the roaming wireless data transmission terminal to establish the data transmission connection.
  3. A method according to claim 1,characterized by placing parameters conforming to the Radius protocol (Remote Authentication Dial-In User Service) in the mobile system protocol.
  4. A method according to claim 1, characterized by the user-ID password pair being placed in at least one message of the mobile system protocol.
  5. A method according to claim 1, characterized by the mobile system protocol being a mobile application part protocol.
  6. A method according to claim 1, characterized by the method further comprising: establishing a connection between the visited network and the wireless data transmission terminal by using a wireless local area network.
  7. A method according to claim 1, characterized by the method further comprising: establishing a connection between the visited network and the wireless data transmission connection by using short-range radio transceivers.
  8. A method according to claim 1, characterized by the method further comprising: transferring billing information on the connection established between the wireless data transmission terminal and the visited network to the home network by using the mobile system protocol.
  9. A method according to claim 1,characterized by the data transmission connection being established to the authentication server of the home network, where the user of the wireless data transmission terminal is authenticated.
  10. A wireless network, comprising:
    a service access point (102) for establishing a connection (140) to a roaming wireless data transmission terminal (100);
    an authentication server (106) connected to the service access point (102) for authenticating the user of the wireless data transmission terminal (100), which authentication server (106) is configured to transfer the user-ID password pair of the user of the roaming wireless data transmission terminal (100) to a home network (134) by using a data transmission connection;
       characterized in that the wireless network further comprises:
    a gateway (110) connected to the authentication server (106) for establishing a data transmission connection between the authentication server (110) of a visited network (132) and the authentication server (118) of the home network (134) by using existing signalling system No. 7 connections (130), and by using in the data transmission connection for the transfer of a user-ID password pair such a mobile system protocol that has not been specified for transferring a user-ID password pair between the visited network (132) and the home network (134).
  11. A wireless network according to claim 10, characterized in that the gateway (110) is configured to retrieve from a mapping table the address information on the home network (134) of the roaming wireless data transmission terminal (100) to establish the data transmission connection.
  12. A wireless network according to claim 10, characterized in that the gateway (110) is configured to place parameters conforming to the Radius (Remote Authentication Dial-In User Service) protocol in the mobile system protocol.
  13. A wireless network according to claim 10, characterized in that the gateway (110) is configured to place the user-ID password pair in at least one message of the mobile system protocol.
  14. A wireless network according to claim 10, characterized in that the mobile system protocol is a mobile application part protocol.
  15. A wireless network according to claim 10, characterized in that the service access point (102) is configured to use a wireless local area network for implementing the connection (140) to the wireless data transmission terminal (100).
  16. A wireless network according to claim 10, characterized in that the service access point (102) comprises a short-range radio transceiver for implementing the connection (140) to the wireless data transmission terminal (100).
  17. A wireless network according to claim 10, characterized in that the gateway (110) is configured to transfer billing information on the connection (140) established between the wireless data transmission terminal (100) and the visited network (132) to the home network by using the mobile system protocol.
EP03396054.3A 2002-06-20 2003-06-06 Method for transferring a user-id password pair, and a wireless network Expired - Lifetime EP1379053B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20021217A FI113322B (en) 2002-06-20 2002-06-20 Method of transmitting a user identification password pair and a wireless network
FI20021217 2002-06-20

Publications (2)

Publication Number Publication Date
EP1379053A1 true EP1379053A1 (en) 2004-01-07
EP1379053B1 EP1379053B1 (en) 2017-11-15

Family

ID=8564208

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03396054.3A Expired - Lifetime EP1379053B1 (en) 2002-06-20 2003-06-06 Method for transferring a user-id password pair, and a wireless network

Country Status (3)

Country Link
EP (1) EP1379053B1 (en)
DK (1) DK1379053T3 (en)
FI (1) FI113322B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1571802A1 (en) * 2004-03-04 2005-09-07 TeliaSonera Finland Oyj Collecting accounting information in telecommunications system
EP1587250A1 (en) * 2004-04-14 2005-10-19 AboCom Systems, Inc. VPN accelerator card for secure roaming
WO2005111826A1 (en) 2004-05-19 2005-11-24 Matsushita Electric Industrial Co., Ltd. Communication system
GB2420055A (en) * 2004-11-09 2006-05-10 Ericsson Telefon Ab L M Secure network service access
CN1299537C (en) * 2004-06-28 2007-02-07 华为技术有限公司 Method for realizing management of connecting visit network using general weight discrimination frame
GB2435117A (en) * 2006-02-10 2007-08-15 Rabbit Point Ltd Automatic roaming authentication in IP-based communication
EP2215803A1 (en) * 2007-11-27 2010-08-11 TeliaSonera AB Network access authentication

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5640446A (en) * 1995-05-01 1997-06-17 Mci Corporation System and method of validating special service calls having different signaling protocols
EP0912026A2 (en) * 1997-10-14 1999-04-28 Lucent Technologies Inc. Registration scheme for network

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5640446A (en) * 1995-05-01 1997-06-17 Mci Corporation System and method of validating special service calls having different signaling protocols
EP0912026A2 (en) * 1997-10-14 1999-04-28 Lucent Technologies Inc. Registration scheme for network

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1571802A1 (en) * 2004-03-04 2005-09-07 TeliaSonera Finland Oyj Collecting accounting information in telecommunications system
EP1587250A1 (en) * 2004-04-14 2005-10-19 AboCom Systems, Inc. VPN accelerator card for secure roaming
WO2005111826A1 (en) 2004-05-19 2005-11-24 Matsushita Electric Industrial Co., Ltd. Communication system
EP1752883A1 (en) * 2004-05-19 2007-02-14 Matsushita Electric Industrial Co., Ltd. Communication system
EP1752883A4 (en) * 2004-05-19 2010-12-29 Panasonic Corp Communication system
CN1299537C (en) * 2004-06-28 2007-02-07 华为技术有限公司 Method for realizing management of connecting visit network using general weight discrimination frame
GB2420055A (en) * 2004-11-09 2006-05-10 Ericsson Telefon Ab L M Secure network service access
GB2435117A (en) * 2006-02-10 2007-08-15 Rabbit Point Ltd Automatic roaming authentication in IP-based communication
EP2215803A1 (en) * 2007-11-27 2010-08-11 TeliaSonera AB Network access authentication
EP2215803A4 (en) * 2007-11-27 2011-01-05 Teliasonera Ab Network access authentication
US9241264B2 (en) 2007-11-27 2016-01-19 Teliasonera Ab Network access authentication for user equipment communicating in multiple networks

Also Published As

Publication number Publication date
DK1379053T3 (en) 2018-02-19
FI20021217A (en) 2003-12-21
EP1379053B1 (en) 2017-11-15
FI20021217A0 (en) 2002-06-20
FI113322B (en) 2004-03-31

Similar Documents

Publication Publication Date Title
Ala-Laurila et al. Wireless LAN access network architecture for mobile operators
EP1741308B1 (en) Improved subscriber authentication for unlicensed mobile access network signaling
JP6339713B2 (en) Method for activating user, method for authenticating user, method for controlling user traffic, method for controlling user connection of 3G traffic Wi-Fi network and 3G traffic routing system
EP1495585B1 (en) Method and system for authenticating user of data transfer device
US7522907B2 (en) Generic wlan architecture
US8538426B2 (en) Controlling and enhancing handoff between wireless access points
JP4832756B2 (en) Method and system for performing GSM authentication during WLAN roaming
EP1552646B1 (en) Method and apparatus enabling reauthentication in a cellular communication system
US20030139180A1 (en) Private cellular network with a public network interface and a wireless local area network extension
US20060126584A1 (en) Method for user equipment selection of a packet data gateway in a wireless local network
WO2004102876A1 (en) Radio lan access authentication system
WO2000002406A2 (en) System and method for authentication in a mobile communications system
US9038144B2 (en) Mobility protocol selection by an authorization system
US20050107100A1 (en) Method of modifying parameters of user terminal, radio system and user terminal
NO342167B1 (en) Authentication in mobile collaboration systems
EP1379053B1 (en) Method for transferring a user-id password pair, and a wireless network
EP1372298A1 (en) Method of transferring user data of a data transmission device of a wireless local area network, and wireless local area network system
EP1176760A1 (en) Method of establishing access from a terminal to a server
CN100591032C (en) Method for the transmission of information via IP networks
KR100485517B1 (en) Apparatus and method of user authentication for WLAN system
KR20110136343A (en) System and method for roaming service of portable terminal, and service server
EP1448000B1 (en) Method and system for authenticating a subscriber
EP1521429B1 (en) Delivering additional information needed in connection setup
CN116321103A (en) Communication method, device, server and storage medium
KR20110138681A (en) System and method for roaming service using usim, and service server

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

17P Request for examination filed

Effective date: 20040426

AKX Designation fees paid

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AXX Extension fees paid

Extension state: LT

Payment date: 20040426

Extension state: LV

Payment date: 20040426

GRAJ Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted

Free format text: ORIGINAL CODE: EPIDOSDIGR1

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 29/06 20060101AFI20170421BHEP

Ipc: H04W 8/00 20090101ALI20170421BHEP

Ipc: H04W 12/06 20090101ALI20170421BHEP

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 8/00 20090101ALN20170509BHEP

Ipc: H04W 12/06 20090101ALI20170509BHEP

Ipc: H04L 29/06 20060101AFI20170509BHEP

INTG Intention to grant announced

Effective date: 20170522

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: TELIA FINLAND OYJ

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: LT LV

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

Ref country code: GB

Ref legal event code: FG4D

Ref country code: AT

Ref legal event code: REF

Ref document number: 947300

Country of ref document: AT

Kind code of ref document: T

Effective date: 20171115

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 60350772

Country of ref document: DE

REG Reference to a national code

Ref country code: SE

Ref legal event code: TRGR

REG Reference to a national code

Ref country code: NL

Ref legal event code: FP

REG Reference to a national code

Ref country code: DK

Ref legal event code: T3

Effective date: 20180216

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG9D

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 947300

Country of ref document: AT

Kind code of ref document: T

Effective date: 20171115

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180216

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20180215

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 60350772

Country of ref document: DE

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 16

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

26N No opposition filed

Effective date: 20180817

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20180830

Year of fee payment: 16

Ref country code: FR

Payment date: 20180830

Year of fee payment: 16

Ref country code: NL

Payment date: 20180830

Year of fee payment: 16

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DK

Payment date: 20180830

Year of fee payment: 16

Ref country code: GB

Payment date: 20180830

Year of fee payment: 16

Ref country code: SE

Payment date: 20180830

Year of fee payment: 16

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20180630

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180606

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180630

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180606

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180630

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20180630

REG Reference to a national code

Ref country code: DE

Ref legal event code: R119

Ref document number: 60350772

Country of ref document: DE

REG Reference to a national code

Ref country code: DK

Ref legal event code: EBP

Effective date: 20190630

REG Reference to a national code

Ref country code: SE

Ref legal event code: EUG

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190607

REG Reference to a national code

Ref country code: NL

Ref legal event code: MM

Effective date: 20190701

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20190606

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190701

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190606

Ref country code: DE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20200101

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20030606

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20171115

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190630

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20190630